Reputation: 18855
Rails Accessible Attribute Confusion
I'm relatively new to Ruby on Rails and I feel like I am doing something wrong here. I'm setting up a payment model and can't figure out how to do the accessible attributes stuff.
My cash_transaction model has:
attr_accessible :billing_address_line_one, :billing_address_line_2, :billing_city, :billing_country, :billing_post_code, :payee_first_name, :payee_last_name, :card_expiry, :card_type
attr_accessor :card_number, :card_verification
Ok, so I want to submit the form and validate and maybe save to a database in future if the payment goes through.
If I leave :card_number, :card_verification in the attr_accessible, Rails gives the error:
*unknown attribute card_number*
Which is fair enough because I don't want to save that in my DB.
When I try:
@cash_transaction = current_user.cash_transactions.build(params[:cash_transaction])
I get a mass assignment security error when those parameters are not in attr_accessible.
I have got around both errors with:
@cash_transaction = current_user.cash_transactions.build(params[:cash_transaction].except(:card_number, :card_verification))
@cash_transaction.card_number = params[:cash_transaction][:card_number]
@cash_transaction.card_verification = params[:cash_transaction][:card_verification]
But that's just the same as building with those parameters included in the hash anyway so I'm cheating it?
What do?
Upvotes: 1
Views: 1616
Answers (1)
Reputation: 10142
Rails is quite careful against several kinds of injections. And this can be confusing.
attr_accessible is a Rails thing, similar to the Ruby Module method attr_accessor, yet different. attr_accessible does allow access to the specified arguments, much in the same way as attr_accessor (the object gets "getters" and "setters"). attr_accessible does also more work to protect against injections.
When a parameter dictionary is passed to create an object, each parameter is checked against the whitelist defined by attr_accessible. If the parameter belongs to the list, it gets assigned and persisted. If not, the mass-assignment security error is raised to prevent any unwanted assignment---a potential security hole. attr_accessor does not do all that, as it does not make sense in plain Ruby.
Now card_number and card_verification should not be persisted according to your specifications. They belong to the logic related to cash transaction only, so choosing instance attributes seems a good choice at this point. As plain attributes of CashTransaction instances, they need be treated as such, with plain Ruby access methods. The short answer to all that is @gylaz'.
Wordy feedbacks above. For concrete examples, the ActiveModel's code and related comments are very informative.
Upvotes: 2
Related Questions
- Mass assignment is not restricted using attr_accessible
- How to mass-assign in rails even though attributes are in attr_accessible?
- Virtual attributes and mass-assignment
- Why am I getting a Mass Assignment Error when I'm using Attr_Accessable?
- How to make all model attributes accessible for mass-assignment?
- Rails mass assignment definition and attr_accessible use
- Assignment of a protected attribute in Rails
- Rails - attr_accessible & mass assignment
- Rails 3 syntax with attr_accessible and creating associated objects
- What is the opposite of attr_accessible in Rails?